name: Windows Computer Account Requesting Kerberos Ticket
id: fb3b2bb3-75a4-4279-848a-165b42624770
version: 4
date: '2024-09-30'
author: Michael Haag, Splunk
status: production
type: TTP
description: The following analytic detects a computer account requesting a Kerberos ticket, which is unusual, as these tickets are normally requested by user accounts. The detection leverages Windows Security Event Logs, specifically EventCode 4768, to identify instances where the TargetUserName ends with a dollar sign ($), indicating a computer account. This activity is significant because it may indicate the use of tools like KrbRelayUp or other Kerberos-based attacks. If confirmed malicious, this could allow attackers to impersonate computer accounts, potentially leading to unauthorized access and lateral movement within the network.
data_source:
- Windows Event Log Security 4768
search: '`wineventlog_security` EventCode=4768 TargetUserName="*$" src_ip!="::1" | stats count min(_time) as firstTime max(_time) as lastTime by dest, subject, action, user, TargetUserName, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_computer_account_requesting_kerberos_ticket_filter`'
how_to_implement: To successfully implement this search, you need to be ingesting Windows Security Event Logs with EventCode 4768 enabled. The Windows TA is also required.
known_false_positives: False positives are possible from third-party applications. Filtering may be needed.
references:
- https://github.com/Dec0ne/KrbRelayUp
drilldown_searches:
- name: 'View the detection results for - "$dest$"'
  search: '%original_detection_search% | search dest = "$dest$"'
  earliest_offset: '$info_min_time$'
  latest_offset: '$info_max_time$'
- name: 'View risk events for the last 7 days for - "$dest$"'
  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
  earliest_offset: '$info_min_time$'
  latest_offset: '$info_max_time$'
tags:
  analytic_story:
  - Active Directory Kerberos Attacks
  - Local Privilege Escalation With KrbRelayUp
  asset_type: Endpoint
  confidence: 70
  impact: 50
  message: A Computer Account requested a Kerberos ticket on $dest$, possibly indicative of a Kerberos relay attack.
  mitre_attack_id:
  - T1558
  observable:
  - name: dest
    type: Endpoint
    role:
    - Victim
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  required_fields:
  - _time
  - dest
  - subject
  - action
  - Supplied_Realm_Name
  - user
  - Account_Name
  - src_ip
  risk_score: 35
  security_domain: endpoint
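The filter and aggregation the SPL search performs, applied to constructed 4768 events as an added example (this is not Splunk's code; the event dicts are constructed samples, and the grouping is reduced to dest, TargetUserName and src_ip rather than the full `by` clause):

```python
"""Added example: mirrors the 4768 computer-account detection on constructed events."""
from collections import defaultdict
from datetime import datetime

# Constructed sample events using the field names the SPL search expects.
SAMPLE_EVENTS = [
    {"_time": "2024-09-30T10:00:00Z", "EventCode": 4768, "dest": "dc01.corp.local",
     "TargetUserName": "WS01$", "src_ip": "10.0.0.25", "action": "success"},
    {"_time": "2024-09-30T10:00:05Z", "EventCode": 4768, "dest": "dc01.corp.local",
     "TargetUserName": "WS01$", "src_ip": "10.0.0.25", "action": "success"},
    # Loopback requester: excluded by src_ip!="::1" (the DC's own account)
    {"_time": "2024-09-30T10:01:00Z", "EventCode": 4768, "dest": "dc01.corp.local",
     "TargetUserName": "DC01$", "src_ip": "::1", "action": "success"},
    # Ordinary user account: no trailing "$", so not a computer account
    {"_time": "2024-09-30T10:02:00Z", "EventCode": 4768, "dest": "dc01.corp.local",
     "TargetUserName": "jsmith", "src_ip": "10.0.0.30", "action": "success"},
    # Service ticket request (4769), not a TGT request (4768)
    {"_time": "2024-09-30T10:03:00Z", "EventCode": 4769, "dest": "dc01.corp.local",
     "TargetUserName": "WS02$", "src_ip": "10.0.0.31", "action": "success"},
]


def matches(event):
    """Mirror the SPL filter: EventCode=4768 TargetUserName="*$" src_ip!="::1"."""
    return (event.get("EventCode") == 4768
            and str(event.get("TargetUserName", "")).endswith("$")
            and event.get("src_ip") != "::1")


def detect(events):
    """Mirror `stats count min(_time) as firstTime max(_time) as lastTime`
    grouped by (dest, TargetUserName, src_ip). Returns a dict keyed by that tuple."""
    groups = defaultdict(list)
    for ev in events:
        if matches(ev):
            key = (ev["dest"], ev["TargetUserName"], ev["src_ip"])
            groups[key].append(datetime.fromisoformat(ev["_time"].replace("Z", "+00:00")))
    return {k: {"count": len(v),
                "firstTime": min(v).isoformat(),
                "lastTime": max(v).isoformat()}
            for k, v in groups.items()}


if __name__ == "__main__":
    for (dest, account, src), stats in detect(SAMPLE_EVENTS).items():
        print(f"A Computer Account requested a Kerberos ticket on {dest} "
              f"({account} from {src}, count={stats['count']})")
```

Only the two WS01$ requests from 10.0.0.25 survive the filter; a production deployment would then pass such rows through the `windows_computer_account_requesting_kerberos_ticket_filter` macro to suppress known third-party sources.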